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Abstract 



, We introduce the Shifted Legendre Symbol Problem and some variants along with efficient 

quantum algorithms to solve them. The problems and their algorithms are different from previ- 
f — , ous work on quantum computation in that they do not appear to fit into the framework of the 

Hidden Subgroup Problem. The classical complexity of the problem is unknown, despite the 
various results on the irregularity of Legendre sequences. 

r—i '. 

§ '■ 1 Introduction 

All known problems that have a polynomial time quantum algorithms but have no known poly- 
nomial time classical algorithm are some variant of the Hidden Subgroup Problem. The problem 
is: given a function on a group G that is constant and distinct on cosets of some unknown sub- 
group, find a set of generators of the subgroup. An example of a problem that can be viewed in 
this framework is Shor's algorithm for factoring. In this case the problem reduces to finding the 
period of a function, which amounts to finding the hidden subgroup of a cyclic group. The variant 
k> ' * n ^is case is that the group size is unknown. Much of the research in quantum algorithms has 

focused on first reducing the problem to a variant of the Hidden Subgroup Problem (hsp), and 
then extending the machinery to handle the particular variant. Some examples of this include 



H, |ij,y,|L3,y,|ij,|P6|,y,|rj. 

In this paper we introduce the Shifted Legendre Symbol Problem (slsp), which does not appear 
to be an instance of the Hidden Subgroup Problem. As such, the quantum algorithm for the slsp 
deviates from the structure of the algorithms that solve the HSP. The quantum component of the 
previous algorithms has two basic steps. The first is to set up an equal superposition over group 
elements by computing the Fourier transform, after which some function evaluation is executed, 
such as | a?) — > \x,f(x)) or \x) — ► (— l)f( x ^\x). The second step is to Fourier sample the state 
0], i.e. to compute the Fourier transform and measure. The algorithm in this article starts with 
the state setup as before, but Fourier sampling is not sufficient, because after the second step the 
resulting distribution is uniform no matter what instance of the problem is given. This is very 
different from the hsp algorithm, where the distribution induced by Fourier sampling is enough to 
solve the problem. There is also another difference. In general, a Fourier transform is defined in 
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terms of a group, and as a result previous algorithms relied solely on properties of groups, such 
as what their irreducible representations are. One variant of the SLSP we solve is its extension to 
general finite fields. In contrast to previous algorithms, our algorithm uses a transform that depends 
on the fact that there is an underlying field, which supports both addition and multiplication. 
The Shifted Legendre Symbol Problem is defined as follows. Given a function / and an odd 



prime p such that f(x) = y^-j, find s - Here y^j is the Legendre Symbol, which is 1 if x is 
a square mod p, —1 if it is not, and if p\x. We also introduce a few variants of this problem. 
The first variation is the Shifted Jacobi Symbol Problem. The setup is the same as the original 
problem, except that instead of a prime p, an odd square free n = p\ ■ ■ ■ Pk is used and the function 
is f s (x) = f 2 ^), where (^) is the Jacobi symbol. The second variant also keeps n unknown. To 
still be able to define the function a new domain of size M is used where M is an arbitrary integer 
much larger than n and the shifted Jacobi symbol is repeated out to M . The quantum algorithm 
uses a property of the Jacobi symbol to first find the period n of the function, and then uses the 
algorithm for the Shifted Jacobi Symbol Problem. The last variant is a generalization of the SLSP 
to general fields. Here the function is a shifted version of the quadratic character \ over t ne finite 
field: x( x ) is 1 if x is a square in ¥ q , —1 if it is not a square, and x(0) = 0. The algorithm in this 
case is more complicated and involves properties not existing in purely group theoretic problems. 
In particular the trace of field elements is used in the transform. 

The classical complexities of the problems are unknown. When the field size is known, the 
problem has polynomial query complexity, but it is unknown if they have polynomial time algo- 
rithms. In any case, we hope that the general structure of our algorithm will lead to new quantum 
algorithms. 

Related Work. Finding an efficient quantum algorithm for the Shifted Legendre Symbol 
Problem was originally posed as an open question in van Dam [||. 

Many papers have studied the properties of Legendre and Jacobi sequences, as referenced in 
[||, ||, 17]. In cryptography, Damgard || has suggested using shifted Legendre and Jacobi sequences 
as pseudo-random bits in the following sense. The seed to the generators are two unknown values 

s\ { s+l\ ( s+t-l 



s and p. Consider the sequence y^j , y^rj > • • • j [jp — J' where t is a polynomial in logp. If 

it is hard to predict the next bits f ^rj > ( 3+ p +1 ) > • • ■ f rom this sequence, then we consider the 
Legendre sequence 'unpredictable'. Damgard showed that if Legendre sequences are unpredictable 
in a very weak sense, then Jacobi sequences (defined similarly) are unpredictable in a very strong 
sense. Whether or not Legendre sequences are indeed unpredictable is still an open question. 

The SLSP with unknown p is at least as hard as the problem posed by Damgard in the sense 
that solving the SLSP yields the value s, with which the next bits can be computed. However, it is 
also potentially easier to solve because an SLSP algorithm is allowed to query the string adaptively. 

Current problems that have exponential separations between their quantum and classical com- 
plexity can be viewed as variants of the Hidden Subgroup Problem. The algorithm to solve these 
problems first creates a state that is uniform over a coset of a subgroup and then computes the 
Fourier transform and measures. The recursive Fourier sampling problem [Q] is not directly an 
instance, but uses the same exact properties in reverse. That is, in the Hidden Subgroup Problem 
algorithm the Fourier transform takes a state that is uniform over a coset to a perp subgroup 
state where the coset is encoded in the phases of the basis vectors. The reverse operation is to 
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start with the phases, and to compute the Fourier transform to find the coset. One level of the 
recursive Fourier sampling problem does this with the subgroup restricted to trivial: the map is 
^2xeZ n (~^) XS \ x ) — > I s )' wnere s is the coset. This problem is perhaps the closest in structure 
to ours, but as mentioned, the new algorithms presented here do not rely only on this property of 
cosets being taken to perp subgroups with phases. 



2 Preliminaries 

In this section we first define the problems we solve and then we provide other background necessary 
for the rest of the paper. 

For a prime p, the Legendre Symbol (j^j is defined to be 1 if x is a quadratic residue, —1 if 

x is a quadratic non-residue modulo p, and if p\x. The Legendre symbol can be extended in 
several ways. Here we will do so by defining it for for rings Z n and finite fields ¥ q . For an integer 

n = pi • • • pk the Jacobi Symbol (^) is defined by (^) = (j^j " " " (^~)> wnere the respective (j^J 
are Legendre Symbols and the product is over all the prime factors pi of n, with repetitions. For a 
finite field ¥ q and x 6 ¥ q , the quadratic character x( x ) is 1 if x is a quadratic residue, — 1 is x is a 
quadratic non-residue, and if x = 0. 

We can now define the problems solved in this paper. The first problem is the basic example 
which the others build on. 

Definition 1 (Shifted Legendre Symbol Problem) Given an odd prime p and a function f s : 
F p — > {-1, 0, 1} such that f s (x) = (j^j for some s G ¥ p , find s. 

The first variant extends the definition to rings. 

Definition 2 (Shifted Jacobi Symbol Problem) Given a square free odd integer n and a func- 
tion f s :Z n —>- {—1,0, 1} such that f s (x) = (^^)- Find the unknown shift factor s G Z„. 

If the integer n is not square free, the Shifted Jacobi Problem does not have a unique answer 
anymore. Consider for example the equality, = (zjfy (^±e) = (j) (j) = (j^ , for all 

x £ Z p 2. Instead we could define the task to find one of the values s' such that f s (x) = (^^-^j ■ 
This problem is again efficiently solvable on a quantum computer. 

The goal of the second variant is to also keep n unknown in the Shifted Jacobi Symbol Problem. 
Notice that the SLSP with p unknown is a special case of this problem. 

Definition 3 (Shifted Jacobi Symbol Problem, unknown n) Given an integer M and a func- 
tion f s : Zm — ► {—1,0, 1} such that f s (x) = for some integer odd square free n, with n 2 < M , 
find s and n. 

The last variant is a generalization to all possible finite fields. 

Definition 4 (Shifted Quadratic Character Problem) Given q = p r , a power of an odd prime 
p, and a function f : ¥ q — > {— 1, 0, 1} such that f(x) = \{ x + s ) f or some s £ ¥ q , find s. Here x is 
the quadratic character of¥ q . 
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We will now give some background on finite fields, the representation we use, and the time it 
takes to do basic computations. 

Consider the finite field F„ with q the rth power of the prime p. In this article the elements 
x £ F q are represented as polynomials in F P [X] modulo an irreducible polynomial in F P [X] of degree 
r. The F p coefficients of such a polynomial are denoted by Xj, that is x = Z r jZlxjXi. When we 
write \x) we mean \xq,xi,... ,x r -\). With this representation the bit-complexity of adding or 
subtracting two elements of ¥ q is O(logg). Multiplication and division require 0((logq) 2 ) bit 
operations for this 'model' for ¥ q . (See, for example, Chapter 6 in [Q] for details on this.) 

For a finite field ¥ p r the trace of an element x is defined by 

r-l 

Tr{x) = J^^- 
3=0 

By the equality (Tr(x)) p = Tr(x) we see that the trace maps the elements of the finite field to its 
base field ¥ p . Because Tr(x) is a polynomial of degree p r ~ l (less than p r ), it is a non-constant 
function. We also have, using (x + y) p = x v + y p , 

Tr(ax + by) = aTr(x) + 6Tr(y) 

for all a,b £ ¥ p and x,y £ ¥ q . It follows that the trace of x = X]j=o ^j^"' equals the summation 
X^=o a; jTr(X : ') over the base field ¥ p . With this property it can be shown that the calculation of 
Tr(x) requires 0((logg) 2 ) bit operations 

The main operation used in quantum algorithms is the Fourier transform. Here we will need to 
compute the Fourier transform over Z p for a large prime p, which is defined by 



P-i 

\x) — ► J-^2 e ^y)/p\ 
VP y=0 



It is unknown how to efficiently compute this transformation exactly. Approximations have been 



given in [12, 14 1. From [Q] we have: there is a quantum algorithm which e-approximates the 
quantum Fourier transform over 7L V for an arbitrary ra-bit p and any e and which runs in time 
O (n log j + log 2 i) . We will denote the pth. root of unity e 27rl//p by lj . 

We will also need a result about Fourier sampling (computing the Fourier transform and mea- 



suring) repeated superpositions [12|. Suppose we want to compare the distribution induced by 
Fourier sampling a state \(p) with the distribution induced by Fourier sampling the state \<p) which 
is \4>) repeated many times. It turns out this is possible but we need to define special distributions 
to do it. The problem is that [</>} has a larger support, so we need a way to shrink the domain 
so the two can be compared. The way to do it is to use continued fractions on the result of the 
sample. We will now formalize this. 

For simplicity we will suppress a detail or two to make this more readable. Let \(f>) = ^x=o ^{x) 
be an arbitrary superposition, and let V w the distribution induced by Fourier sampling \<f>). Let 
the superposition \(f>) = c - X^l't) 1 0a; mod n I s ) be \4>) repeated until some arbitrary integer M, not 
necessarily a multiple of n, where c is the proper normalization constant. Let X>a\ be the distribution 
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induced by Fourier sampling \<f>). Notice that V w is a distribution on {0, . . . ,n — 1} and is a 
distribution on {0, . . . , M — 1}. 

We can now define the two distributions we will compare. Let 2?Fjf be the distribution induced 
on the reduced fractions of that is, if x is a sample from T> w , we will return the fraction x/n 
in lowest terms. In particular, define ^^(j, k) = V w (jm) if mk = n. Let be the distribution 
induced on fractions from first sampling T>^ and then running continued fractions on the result 
and M. If M = Q(^) and M = Q(f), then \T>** - £ff> |i is upper bounded by about n/VM. 

This basically says that to understand the distribution induced by Fourier sampling a repeated 
state, only the distribution induced by Fourier sampling non-repeated state has to be understood. 
However, it is not the exact distribution of the unrepeated state, since we look at the distribution 
over reduced fractions. We will use this to solve the unknown n case of the Jacobi problem. 

3 An Algorithm for Prime Size Fields 

In this section we give algorithms solving the Shifted Legendre Symbol Problem and variants when 
working over a finite field of prime size. The main ideas are contained in the algorithm for the 
Shifted Legendre Symbol Problem, and we can apply the same algorithm to solve the same problem 
when p is unknown, and also to solve the Shifted Jacobi Symbol Problem. 

The idea for the algorithm follows from a few known facts. Assume we start the algorithm in 
the standard way, i.e. by putting the function value in the phase to get |/ s ) = Yliez p (^) I*)" 
Assume the functions fi are orthogonal (they are close to orthogonal). Define the matrix C where 
the i th row is Our quantum state |/ s ) is one of the rows, so C\f s ) = \s). The issue now is 
how to efficiently implement C. C is a circulant matrix, i.e. Cjj = Cj+ij+i. The Fourier transform 
diagonalizes a circulant matrix: C = F p (F~ 1 CF p )F~ 1 = F p DF~ l , where D is diagonal, so we can 
implement C if we can implement D. It turns out that the vector on the diagonal of D is the vector 
^p|/o)j but |/o) is an eigenvector of the Fourier transform, so up to a global phase which we can 
ignore, we are done. To summarize: to implement C, we compute the Fourier transform, compute 
/o into the phases (this is just the Legendre Symbol), and then compute the Fourier transform again 
(it is not important whether we use F p or F' 1 ). We will now present this algorithm step-by-step. 

Algorithm 1 (Shifted Legendre Symbol Problem) 

Input: An odd prime p and a function f s such that f s (x) = (^|r) for all x G 7L p . 
Output: s. 

1. Compute the Fourier transform overZ p o/|0) and compute f s into the phases, approximating: 

Jp=\ ^ ( p ) 

2. Compute the Fourier transform over Z p : 

7h S v (?) w 
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3. Compute fo into the phases, approximating: 

4- Compute the inverse Fourier transform over Z p ; this gives the answer \ — s). 



Theorem 1 Algorithm^ solves the Shifted Legendre Symbol Problem in two queries and polynomial 
time with probability exponentially close to one. 

Proof: The first step is a standard setup used in quantum algorithms. The only difference is that 
f s evaluates to zero in one position. In this case, just treat it as a one. After this the state is 
exponentially close to the state shown. Recall that the Legendre Symbol (^J is zero when p\x, so 
one amplitude is zero. 

The result of applying the Fourier transform is (where we replace x with x — s) 

_ly X + s\ _ -J=y — W~W*- S) h/>- 

V^T^oV P J 1 VFT^^oW P 

Factoring out the u> p ys term, using the change of variable z = xy, and using the facts that 

= (?) (£) md (*?) = (?) ™ to ™ 

So we are left to evaluate Yl P z =o (p) u pi which is the Gaufi sum ||, ^0|, and is ^fp if p = 1 mod 4 
and is \^fp if p = 3 mod 4. Hence, up to a global constant which we can ignore, the state follows. □ 

Corollary 1 Algorithm can be used to solve the Shifted Jacobi Symbol Problem. 

Proof: We start with the uniform superposition of Z n and calculate the function value f s for each 
element: 

J-Y\x,o) — » 4= Y (— ))■ 

Next, we measure if the rightmost value is non-zero. If this is the case, which happens with 
probability <j){n)/n (where <f> is Euler's phi function obeying 4>(n) = |Z*|), the state has collapsed 
to the superposition: 

I y2 \x, (^)). 



yJV- 1 y/P 



( z 
E ( p 

.2 = V ^ 
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Otherwise, we simply try again the same procedure. (The success probability (j){n)/n is lower 
bounded by 0(1/ log(logn)), see Q, hence we can expect to be successful after 0(log(log n)) trials.) 

We continue with the reduced state by changing the phase of \x) to f 2 ^) and uncomputing 
the function value again, giving 

' Ef^V 



Let n = pi ■ p2 ■ ■ ■ Pk be the prime decomposition of n such that 7L n = Z Pl x • • • x Z Pfe . Us- 
ing Shor's algorithm 1 15], we can determine these factors efficiently. Because f 2 ^) = 



X + Sl 

Pi 



x+s 2 ) . . . ( x+s k 
P2 J V Pk 



we can just consider each pj component separately (with si = smodpi, 
S2 = smodp2j et cetera). Hence, by performing the 'inverse Chinese remainder' map |x) — > 
\x mod pi, . . . ,x mod p^), we obtain the state 

xi& P1 x k & Pk v yi / \ ™ / j=i Xj ez Pj v n J 

But now we use Algorithm |l| on each factor to get | — s\ , . . . ,—Sk), after which the Chinese remainder 
theorem gives us the answer s. □ 
We now give an algorithm for the above problem when also n is unknown. In addition to using 
known techniques, the algorithm depends on the fact that sampling the Fourier transform of the 
shifted Legendre Symbol results in the uniform distribution on Z*. 

Algorithm 2 (Shifted Jacobi Symbol Problem, unknown n) 

Input: An integer M and a function f s : {0, ... , M — 1} — > { — 1,0, 1} such that f s {x) = (^^) for 
some integer n, with n 2 < M 
Output: n and s. 

1. Create the following state as in Corollary [/|: 

-E ^ >> 

2. Compute the Fourier transform overl^M- 

3. Measure, with outcome i, and use continued fractions on i and M, returning j/n. 
4- Run Algorithm [/] using f s and n. 

Theorem 2 Algorithm [I] solves the Shifted Jacobi Symbol Problem with unknown n in quantum 
polynomial time with high probability. 
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Proof: Let \ip s ) - 



J2x=o i^nr) l x ) ^ e ^ e s ^ a te after the setup in Corollary [l] and let \ip s 



be the repeated version in Algorithm where c is the normalizing constant. 
We can relate the distributions induced by Fourier sampling \<p s ) and \<fi s ) using the discussion in 
Section 2. If M = n then Lemma |l] implies that i is uniformly distributed over Z* and we would 
be done since the denominator returned by continued fractions is n in this case. However this will 
still be the case even if M / n. If M is a multiple of n and if the Fourier transform of \ifj s ) is 
Ylx=o Oi x \x), then the Fourier transform of \tp s ) is ^2^=0 &x\M/n • x), so we get what we want. If 
M is not a multiple but is large enough, the distributions as discussed in Section 2 are e-close. □ 

Lemma 1 Let n be an odd square free integer. If we apply the quantum Fourier transform over 
Z n to the superposition of the states (^p) \x) for all x £ Z„, we establish the evolution 



£ 

X&L n 



x 



n 



i(n-l)V4 



n 



Proof: First, we note that we can rewrite the output as 



1 



£ 



E 

xez„ 



X + s 



■n 



■'■y 



\y) 



i 



\/n ■ 4>( n . 



■ < 



-*.y 



^ (n 

xez* 



j-y 



\y), 



by substituting x with x + s in the summation and using the fact that (^) = for all x Z* . 
The amplitudes between the square brackets depend on y in the following way. First, we consider 



the case when y is co-prime to n, that is: y G 
then see that 



^, and there exists also an inverse y € Z*. We 



^ in 



xy 



^ (n 

Z6E 



where we used the substitution x <— zy~ l and the multiplicativity of the Jacobi symbol. 

Next, we look at the case where n and y have a common, non-trivial, factor /. We say that 
n = mf and y = rf, and we know that / and m are co-prime (because n is square free). The 
Chinese remainder theorem tells us that there is a bijection between the elements x E Z n and the 
coordinates (x mod m,x mod /) G Z m x Zj, which also establishes a one-to-one mapping between 
and ZL x Z*. This allows us to rewrite the expression as follows. 



E© 



uJ 



j-y 



E 



mf 



xrf 
mf 



E 

xe 



x mod m\ fx mod / 



771 



E 

xiGZ^ 



xir 



/ 

E Ci 



X2&i 



Because / is odd and square free 
concludes the proof of the lemma. 



0, and hence the above term equals zero. This 

□ 
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4 An Algorithm for General Finite Fields 



Here we will solve the general case of the Shifted Legendre Symbol Problem for any finite field ¥ q . 
From now on q = p r , with p an odd prime and the degree r an integer. See Section 2 for details 
about finite fields. The idea used for the SLSP algorithm cannot be used directly here, since the 
matrix is no longer circulant. To get around that problem, we use the following map: 

Lemma 2 (Trace-Fourier Transform over ¥ q ) The unitary mapping 



■'>' 



is computable in polynomial time. 
Proof: Assume that the mapping 



r-l 



\x) — (g)|Tr(xA^')>. 

3=0 

can be computed in polynomial time. First apply this map, and then compute the Fourier transform 
over 17 . This gives us the final state 

We will now show that the map 



i=0^ % GF p ye¥q 



\x) — ► |Tr(x),Tr(xX),... ,Tr(xX r - 1 )) 

is reversible. Let T(x) = [Tr(x), Tr(xX), . . . ,Tr(xX r ~ 1 )]. T is a linear functional since Tr is, so 
if T{a) = T(b) then T{a — b) is the zero vector. We will show that T(x) is not the zero vector 
except for x = 0. Suppose T(x) is the zero vector. Since Tr is not the zero map, choose a £ ¥ q 
such that Tr(a) / 0. Choose Zo, . . . , z r -\ such that Ylj ZjxX^ = a. Then Tr(a) = Tr(^ ■ ZjxX J ) = 
ZjTr^xX^) = 0, since Tr(xX J ) = for all j. But this is a contraction by the choice of a. So T 
is one-to-one. 

We will now show that the map is computable in polynomial time. It is enough if x can 
be computed from Tr(x),Tr(xX), . . . ,Tr(xX r_1 ). But the equations Tr(x) = X^j=o x j / ^ r (^ J )' 
Tr(xX) = Y^j=o XjTr(X- ?+1 ), ... , r Ti(xX r ~ 1 ) = 5Zj=o 3; jTr(X J+r_1 ) are r linear equations in r 
unknowns, and the values Tr(x), Tr(xX), . . . ,Ti{xX r ~ l ) and Tr(X J ) for all j are known, so the 
coefficients xj of x can be solved for using linear algebra. □ 

(We recently learned that, independently, de Beaudrap et al. [|| have used a transform closely 
related to the above for the construction of a different quantum algorithm.) 

Theorem 3 Algorithm [| (see below) solves the Shifted Quadratic Character Problem over any 
finite field with two queries and in polynomial time with probability exponentially close to one. 
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The presentation of the algorithm below differs from the SLSP algorithm in that it does not 
use approximations. Approximations work here also, but here we show how the problem can be 
solved exactly if the base field is of fixed size (so that the Fourier transform is not approximate). 
Also notice that the Trace-Fourier transform is not a unique solution to this problem, any linear 
functional will work in place of Tr. 

Algorithm 3 

Input: A power of a prime q = p r and a function f s such that f s (x) = x( x + s )- 
Output: s. 

1. Use the Fourier transform over % q +i on \0), and two queries to f s to create (with probability 
q/ (q + 1)) the state 

^5,* (i+,)|i>+ >- 

With probability l/(q + 1) this step gives s directly. 

2. Compute the Trace-Fourier transform of Lemma [| over¥ q . In the proof it will be shown that 
the output of this transform equals 



^x(y)^ Ti ~ sy) \y}) +4=1*)- 
K y& q J 



(1) 



The term between the square brackets is known the quadratic Gaufi sum G(¥„), with G(¥ q ) = 
^_ 1 ^-i i r(p-i) 2 /4^ ^ see theorem 11.5.4 in Ml)- With this knowledge we can perform the 
next step. 

3. Uncompute the phases x(y) f or V 7^ 0; an d change the dummy vector to (— l)'"- 1 i r (p— ^V^O). 
By dropping the general phase G(¥ q )/ \fq, we can now write 

^ Q yew q 

for the state. 

4- Finally, compute the inverse Trace-Fourier transform over ¥ q . This gives us the requested 
shift parameter as \ — s) . 

Proof: For the first step we create, with one call to f s the superposition 

1 y^\x,fJx)) + . 1 \5,1), 

where 5 denotes a 'dummy state'. Next, we measure if the rightmost bit is zero. If this is the case 
(probability l/(q + 1)), the state has collapsed to | — s,0), which tells us the value s immediately. 
Otherwise, we are left with the superposition of the entries x with f s {x) = ±1 and the dummy 
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state. This enables us to create the proper phases f s (x) = x( x + s ) an d uncompute (with a second 
f s query) the rightmost bit, which we will ignore from now on. 

At step 2, we perform the Trace-Fourier transform to the state, yielding 

q x& q yeWg V 9 

We rewrite this expression as follows: replace x with z = xy + sy, and use the multiplicativity of 
X and the linearity of the trace in x(z2/ _1 )u;J r ^ 2 ^ = xi 2 ) 1 ^ ■ x(y) w p^ ^ ■ This proves the 
validity of Equation p]. □ 



5 Conclusion and Open Problems 

We have shown the existence of efficient quantum algorithms for several versions of the 'Shifted 
Quadratic Character Problem'. The classical complexity of these problems remains open. In the 



light of Shor's result] 18 1, we would also like to know whether the problems become classically 



tractable if we assume that factoring is easy. 
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A From Legendre Symbols to Gaufi Sums 



A.l Legendre Symbol, Jacobi Symbol, and Quadratic Character 

In this appendix, p is a prime, q is the prime power p r with degree r, and n is a (typically non-prime) 
positive integer. We denote the field of size p by Z p , instead of the perhaps more accurate Z/ (pZ). 
Similarly, the ring induced by modn addition and multiplication is Z n . The finite field of size q is 
described by ¥ q , and hence F p = Z p , but F p 2 7^ Z p 2. The respective multiplicative subgroups are 
indicated by the * superscript: Z*, Z* and F*. 

The Legendre symbol indicates if a non-zero element is a square modulo p or not: 

f if x = mod p 

+1 if there exists aj//0 such that y 2 = x mod p 
— 1 if for all y: y 2 / x mod p. 

Let n = p\ ■ P2 ■ ■ ■ Pk be the prime factor decomposition of n. The Jacobi symbol generalizes the 
Legendre symbol for all rings Z n in the following way: 

/x\ ( x \ / £ \ / x \ 

\n) \pi) \p 2 ) \Pk) ' 

Clearly, (^) = for all x not co-prime to n. Note that (^) = +1 does not always imply that there 
is a y with y 2 = x mod n. Take, for example, (|) = 1. 

For finite fields ¥ q , the Legendre symbol becomes the quadratic character %, which is defined 

( ifx = 
x(x) = \ +1 if there exists such that y 2 = x 

[ — 1 if for all y: y 2 7^ x. 

for all x G F ? . 

A. 2 Basic Properties 

The Legendre symbol, Jacobi symbol and quadratic character are all three multiplicative characters 
because they obey {xy/p) = (x/p)(y/p), (xy/n) = (x/n)(y/n), and x{xy) = x(x)x{y), respectively. 
This implies a series of results. 

Let g be a generator of Z*. Because the multiplicative subgroup has p— 1 elements, we know that 
g l = gi mod p if and only if i = j mod p — 1. Hence, the quadratic equation (g^) 2 = g 2 ^ = g % mod p 
is correct if and only if 2j = i mod p — 1 . 

For an odd prime p, there can only exists a j with (gi) 2 = g % mod p when i is even, as p — 1 
is even. Obviously, if i is even, then g 3 with j = | gives also a solution. In short: {g l /p) = (— 1)'. 
This proves that of the elements x of Z* are a quadratic residue with (x/p) = +1, while the 
other 2^ are non-squares. 

If p is even, then for all i either i or (i + p — 1) will be even. Hence, either j = | or j = l+p 2 ~ 1 
gives a proper solution to the equality (g ] ) 2 = g % mod p. This proves that all elements x G Z* are 
quadratic residues with (x/p) = +1. This rather redundant proof for the only existing case p = 2 
is justified by the following lemma. 
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Lemma 3 For any finite field F p r, we have for the summation of its quadratic character values 

V x(x) = { ifp is ° dd 

^ | rf — 1 if ' p is even. 

xew p r ^ 1 J 1 

Proof: Every multiplicative group F* r has a generator g with period p r — 1. Use this in combination 
with the proof method of the preceding paragraphs. □ 
We will reach a similar result for the summation of the Jacobi symbol values over Z n , when n 
is odd and squarefree. Let again n = p\ ■ ■ ■ p^ be the prime decomposition. The Chinese remainder 
theorem tells us that the mapping x G 7* n — > (x mod pi, ■ ■ ■ ,x mod pk) £ Z Pl x • • • x Z Pfe is a 
bijection. (All pi terms are different, because we assumed n to be square free.) This enables us to 
prove the following lemma. 

Lemma 4 Let n be an odd, square free integer. The summation of all the Jacobi values of Z n 
obeys 



Proof: Let n = Pi ■ ■ ■ Pk be the decomposition of n into its prime factors. The definition of the 
Jacobi symbol in combination with Chinese remainder theorem yields the equality 



^ (n 




By the previous lemma we know that each J2xez ( x /p) is zero, hence the above product is zero as 
well. ~ ' □ 

A. 3 Gaufi Sums 

Let ui p denote the complex root e 2m / p . The trace of an element x £ ¥ p r is defined by Tr(x) = 
X^=o X%P ■ I* can b e shown that for every x £ F p r, its trace is an element of the base-field: Tr(x) G 
F p . When we write ujJ t ^ we interpret the value Tr(x) as an element of the set {0, 1, . . . ,p— 1} C Z. 



Definition 5 For the field 7L V , the ring 7h n and the finite field ¥ p r we define the quadratic Gaufi 
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sum G by 



G(Zp) 
G(Z n ) 

G(¥ p r) 



■ i:e-- 



Tr(x) 



It is not immediately clear that this definition does not give contradicting values for the identical 
cases G(7j p ) and G(¥ p ). However, the next result shows that this conflict does not occur. We will 
not give the proofs of the following lemma as that goes far beyond the scope of this article. Instead, 
the curious reader is referred to the book by Berndt et al.^ 

Lemma 5 Let p be an odd prime and n an odd square free integer. The following equalities hold 
for the different quadratic Gaufi sums: 



G(Zp) 
G(Z n ) 

G(¥ p r) 



y/p if p = 1 mod 4 
if P = ^ mod 4 
n if n = 1 mod 4 
ii if n = 3 mod 4 

if p = 1 mod 4 and r is even 
if p = 1 mod 4 and r is odd 
if p = 3 mod 4 and r = mod 4 
if p = 3 mod 4 and r = 1 mod 4 
if p = 3 mod 4 and r = 2 mod 4 
if p = 3 mod 4 and r = 3 mod 4 



Note that indeed G(Z P ) = G(F P ). 
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